Policy, Program and Procedures

  • 1.  Tier Classification Question

    This message was posted by a user wishing to remain anonymous
    Posted 01-11-2023 06:24 PM

    Good Afternoon!

    Within your Third-Party Risk Management Program, how do you define a vendor providing a solution that is key to the infrastructure of the bank (e.g., Internet, telephone, etc.)?

    Thank You!


  • 2.  RE: Tier Classification Question

    Posted 01-23-2023 02:01 PM

    While you asked a simple question, the answer can sometimes be more complex. And while I can't specifically tell you how to define these types of vendors (that is up to your organization), I can tell you what you need to consider in these situations.

    With every vendor engagement, your organization must identify if that vendor (product or service) is critical to your organization. Critical vendors can significantly impact your organization or its customers should they fail or have an extended unplanned outage. When we are trying to figure out who is critical, these three questions can help.

    1. Would a sudden loss of this third party cause a significant disruption to our business?
    2. Would the sudden loss impact our customers?
    3. If the service is disrupted, would there be a negative impact on our operations if restoring service took more than 24 hours?

    If the answer to ANY of these questions is "YES," it's a critical vendor or essential to your day-to-day operations.

    Using those criteria, you may determine that your internet or telecom providers are critical. Well, here is the twist: even though those services may be integral to your daily business, they might also be out of scope for your TPRM program. The rationale is that services that fall into the category of public utility, for example, are typically not included in TPRM because:

    • They are available for everyone. Your organization is not taking on unique risks by engaging in the product or service. (Everyone must have phones, internet, etc.)
    • The products or services are not tailored to your organization (everyone gets the same service)
    • If the service fails, your organization will not be uniquely impacted (Power goes out for everyone).
    • The contract is typically a service agreement, and you have no negotiating power over pricing, service levels, etc.
    • Your organization cannot influence the vendor's performance
    • It is not possible to obtain the due diligence information necessary to conduct an effective vendor risk assessment

    It is important to consider all these factors because your TPRM program is about identifying and mitigating risks. Even though your phone company is key to your organization's ability to do business, there may be little to nothing your organization can do to effectively mitigate the risks in these relationships, especially regarding the vendor's risk practices and control environment. And would it be reasonable and practical to include them on your list of critical vendors (which require the highest amount of due diligence, monitoring, and management) when your organization is not taking on any unique risks? Probably not, but does that mean you don't have to pay attention to them? Not necessarily. All products and services essential to your day-to-day operations should be considered in your organization's internal business continuity management planning, even if they are out of the scope of your TPRM program.

    My advice here is to

    • Conduct your inherent risk assessment to determine the types and amounts of risks in the relationship
    • Determine if the vendor is critical
    • Determine if the vendor type is within the scope of your TPRM activities
    • If the vendor is "essential to day-to-day" but out of scope for your program, engage your internal BCP planning team to discuss how the product or service will be accounted for in the organization's BCP plan.
    • Always make sure you can articulate your rationale for including or excluding a vendor type for your TPRM scope (auditors and examiners will want to know).

    I know that is a lot of information to consider, but I hope it is helpful. I would love to hear from other members too.